fix(flatfile): harden flat-file backend against injection and traversal attacks
Security fixes for 7 vulnerabilities in database_flatfile.c:
1. Path traversal via crafted JID (HIGH):
_ff_jid_to_dir() now strips '/', '\' -> '_' and collapses '..' -> '__',
preventing a malicious federated JID from escaping the log directory.
2. Log injection via unescaped message body (HIGH):
Add _ff_escape_message()/_ff_unescape_message() -- escape \n, \r, \\
in message text on write, unescape on read. Prevents remote contacts
from injecting fake log lines with forged sender/timestamp/encryption.
3. Metadata field injection (HIGH):
Add _ff_escape_meta_value()/_ff_unescape_meta_value() -- escape |, ],
\\, \n, \r in stanza_id/archive_id/replace_id. Parser uses escape-aware
_ff_find_unescaped_char() and _ff_split_meta() instead of strchr/strsplit.
4. Sender ": " parsing confusion (MEDIUM):
Escape ": " -> "\: " in XMPP resource on write. Parser uses
_ff_find_unescaped_colonspace() + _ff_unescape_sender_resource().
5. LMC correction chain cycle -> infinite loop (MEDIUM):
Add visited hash-set and FF_MAX_LMC_DEPTH (100) limit to chain walker.
6. Unbounded getline() -> OOM (MEDIUM):
Add FF_MAX_LINE_LEN (10 MB) cap in _ff_readline(); overlength lines
are skipped with a warning. Replaces all char buf[8192]/fgets() sites
with dynamic getline() + truncated-line detection at EOF.
7. Symlink attack + TOCTOU on file creation (MEDIUM):
Replace fopen("a") with open(O_WRONLY|O_APPEND|O_CREAT|O_EXCL|O_NOFOLLOW)
+ fdopen() -- atomic new-file detection, symlink rejection via O_NOFOLLOW.
_ff_ensure_dir() checks g_lstat() for symlinks. File permissions 0600
set via open() mode, not post-hoc g_chmod().
This commit is contained in:
@@ -56,7 +56,8 @@ typedef enum {
|
||||
} integrity_level_t;
|
||||
|
||||
// A single integrity issue found during verification
|
||||
typedef struct {
|
||||
typedef struct
|
||||
{
|
||||
integrity_level_t level;
|
||||
char* file;
|
||||
int line;
|
||||
@@ -66,7 +67,8 @@ typedef struct {
|
||||
void integrity_issue_free(integrity_issue_t* issue);
|
||||
|
||||
// Backend vtable: pluggable storage backends implement this interface
|
||||
typedef struct db_backend_t {
|
||||
typedef struct db_backend_t
|
||||
{
|
||||
const char* name;
|
||||
gboolean (*init)(ProfAccount* account);
|
||||
void (*close)(void);
|
||||
|
||||
Reference in New Issue
Block a user